MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ac21fd5101245c481930e8a5adafb8d2a6b96ba54c5f43cab187059835aa5f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	8ac21fd5101245c481930e8a5adafb8d2a6b96ba54c5f43cab187059835aa5f9
SHA3-384 hash:	766feb4c9f15202af4c5a22424ec342a657969586a3ca4b2539398a7168a9fb832f14e72de878872ed70f60029025a54
SHA1 hash:	c733c7112f9caee7991dc1389011be84056fc495
MD5 hash:	ab23d03dcf23220295648cfb245d2d6d
humanhash:	alabama-hydrogen-don-carbon
File name:	ab23d03dcf23220295648cfb245d2d6d.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	599'040 bytes
First seen:	2021-08-27 14:53:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:wXk6XhlQ70M3HvlvGWE/FckBRi+9wjQPf48a6EzMzPxiDOZ1z4/2fH:wbvGlvGkC
Threatray	906 similar samples on MalwareBazaar
TLSH	T1C9D4FD24697FC419C1E7EEB22DDCA4BBD99A94E3640D76371064A33B8B41B84CE0F479
Reporter	abuse_ch
Tags:	exe RedLineStealer

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://topcracksoft.com/teamviewer-crack-torrent/

Verdict:

Malicious activity

Analysis date:

2021-08-27 14:00:21 UTC

Tags:

trojan evasion loader stealer vidar opendir rat redline

Link:

https://app.any.run/tasks/95855230-d2de-4a90-b7ca-7a74d43cccf6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/182943/

Detection(s):

Win.Packed.Redline-9876022-1

Win.Packed.Redline-9879939-1

Win.Trojan.Generickdz-9882256-0

Win.Trojan.Generickdz-9883081-0

Win.Packed.Generickdz-9888683-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Unauthorized injection to a recently created process

Sending a UDP request

Connection attempt

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca388fcd-ff63-4e26-aeb1-a99c4f8ac965

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/840464

Signature

.NET source code contains very large strings

.NET source code references suspicious native API functions

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ac21fd5101245c481930e8a5adafb8d2a6b96ba54c5f43cab187059835aa5f9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-27 14:54:06 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rlbb7viqcjc4jamtb2ffvwx3ruvgxfv2ktc7ipfldbyfta22ux4q._file

Verdict:

malicious

RedLineStealer

1cf6570844a3a440ad731d0c72ed9bd8369f2cfb44243a952942f91097767776

RedLineStealer

1e7f2339065e8a6909eea27f090499a1af6427d1563ceac0cd25c916c637d29d

RedLineStealer

4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c

RedLineStealer

56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482

RedLineStealer

a958a5956297e2ff6ebe698756a401563736aa63fd3c44ff0c5e7deb82134740

RedLineStealer

c62b515006bc08b9c7e66fedb39b4751a20fe34f19a322d7e40447c70937a6d0

RedLineStealer

cfcb21c8c129c8c2c525ecfac8bd883260eda6038e3991210765e582007451dd

RedLineStealer

+ 896 additional samples on MalwareBazaar

Result

Malware family:

redline

Score:

10/10

Tags:

family:redline botnet:dibild2 infostealer

Link:

https://tria.ge/reports/210827-9ah5cpnw12/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Malware Config

C2 Extraction:

135.148.139.222:1494

Unpacked files

SH256 hash:

3d8a227cb6a36a33cd3b74827bfe16463e6c38c473f489b9d81679a2c1960706

MD5 hash:

ba2280043eafe9889eb5fe00499f5014

SHA1 hash:

5dd4edee2b7ed9dde73f62f56796315c4a0d3717

Link:

https://www.unpac.me/results/e62ad87e-d3c3-4c80-bb87-21b53be28fa6/

SH256 hash:

8ac21fd5101245c481930e8a5adafb8d2a6b96ba54c5f43cab187059835aa5f9

MD5 hash:

ab23d03dcf23220295648cfb245d2d6d

SHA1 hash:

c733c7112f9caee7991dc1389011be84056fc495

Link:

https://www.unpac.me/results/e62ad87e-d3c3-4c80-bb87-21b53be28fa6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8ac21fd5101245c481930e8a5adafb8d2a6b96ba54c5f43cab187059835aa5f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)